In consultation with the Cornell IT Security Office and Cornell financial administrators, two "standard" configurations of AWS accounts have been defined, one for general use and one for research. Each configuration follows AWS, Cornell, and security best practices. Not all best practices can be implemented by policy and configuration; individual AWS users also need to follow best practices. See the Cloudification Services Tech Blog and the AWS IAM best practices documentation.
TO DO: NAT gateway, IP space, Shibboleth, Duo, firewalls, security groups, etc.
| Category | Standard configuration | Description | General | Research |
|---|---|---|---|---|
| | AWS VPC subnets are assigned to managed, private IP spaces | This ensures that Cornell private subnets (on campus and in AWS) do not overlap and that private subnets are transparently and securely routed to AWS VPC subnets. | y | as needed |
| Security/Network | Private AWS VPC subnets are provisioned with a NAT Gateway | This provides a secure route to the public internet so that AWS EC2 instances can retrieve software updates while remaining unexposed to the public internet. See the AWS NAT Gateway documentation. | | |
| | AWS Cost Explorer access | Each Cornell AWS account has access to the AWS Cost Explorer service to view historical and projected costs for that account. Cost Explorer is generally easier to use than CloudCheckr, but it has less flexibility than CloudCheckr and requires AWS account access (something that Cornell financial staff may not want). | | |
| Security | AWS Config enabled | AWS Config is a service that supports assessment, auditing, and evaluation of the configurations of AWS resources. The Cornell Config deployment uses Organization-wide Config Rules that check standard configurations and best practices; the rules monitor infrastructure and raise an alarm if, for example, CloudTrail becomes disabled for an account. | y | y |
| Security | AWS CloudTrail enabled for all activity in all regions | | | |
| | IAM users can be used for service/programmatic access | | y | y |
| Security | Baseline IAM password policy configured | The password policy enforces complex passwords in the rare instances when an IAM user requires a password. | y | y ? |
| Security | Read-only role for AWS resources | This role allows the Cloudification Team to view Cornell AWS accounts while troubleshooting and offering assistance, while ensuring that account owners maintain account integrity. | y | y |
| Security | Management role for AWS resources | This role allows scripted management of these standard account configurations by the AWS Organization master account. | | |
| | Regional Restriction (optional) | Cornell AWS accounts can optionally enable Regional Restriction to have account activity restricted to the four US-based AWS regions. | y | y |
| Security | GitHub Actions OIDC provider | With the GitHub OIDC provider, Cornell cloud practitioners can use IAM roles instead of access keys linked to AWS IAM users when a GitHub Actions workflow requires access to a Cornell AWS account. See Github OIDC Provider for Cornell AWS Accounts for details. | | |
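The security value of the OIDC approach depends on the role's trust policy pinning both the token audience and the repository claim; otherwise any GitHub workflow could assume the role. As an added example (not Cornell's own code or the actual Cornell provider configuration), the following Python builds such a trust policy and audits one for an unpinned audience or a wildcarded repository. The account id, organization and repository names are constructed placeholders, and the "single repository" rule is this example's assumption, stricter than an org-wide wildcard.

```python
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id, org, repo, ref="refs/heads/main"):
    """Trust policy that lets only one GitHub repository (and branch) assume the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{GITHUB_OIDC}:aud": "sts.amazonaws.com",  # token must be minted for AWS
                f"{GITHUB_OIDC}:sub": f"repo:{org}/{repo}:ref:{ref}",  # and only for this repo/branch
            }},
        }],
    }


def audit_github_oidc_trust(policy):
    """Return findings for Allow statements that trust the GitHub OIDC provider too broadly."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        federated = stmt.get("Principal", {}).get("Federated", "")
        if stmt.get("Effect") != "Allow" or GITHUB_OIDC not in federated:
            continue  # not a GitHub OIDC statement
        cond = stmt.get("Condition", {})
        equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if equals.get(f"{GITHUB_OIDC}:aud") not in ("sts.amazonaws.com", ["sts.amazonaws.com"]):
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        subs = equals.get(f"{GITHUB_OIDC}:sub", like.get(f"{GITHUB_OIDC}:sub"))
        if subs is None:
            findings.append(f"statement {i}: no sub condition, so any GitHub repository could assume the role")
            continue
        for sub in ([subs] if isinstance(subs, str) else subs):
            parts = sub.split(":")  # GitHub sub claims look like repo:ORG/REPO:ref:refs/heads/BRANCH
            if parts[0] != "repo" or len(parts) < 2 or "*" in parts[1]:
                findings.append(f"statement {i}: sub {sub!r} does not name a single repository")
    return findings


# Constructed weak policy: a StringLike wildcard that trusts every repository in the org.
WEAK_POLICY = github_oidc_trust_policy("123456789012", "example-org", "example-repo")
WEAK_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"},
    "StringLike": {f"{GITHUB_OIDC}:sub": "repo:example-org/*"},
}
```

Run `audit_github_oidc_trust` over the trust policies exported from an account (for example with `json.load` on `aws iam get-role` output) to spot roles whose GitHub trust is broader than one repository.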